America’s appetite for natural gas has reignited a long-standing debate over which federal body should oversee the security of natural gas and oil pipelines.
With the U.S. increasingly reliant on natural gas for power, the Federal Energy Regulatory Commission wants the Energy Department to take over control of pipeline security from the Transportation Security Administration, an agency under the Department of Homeland Security.
While that realignment would take an act of Congress, two FERC members argue the Energy Department is better positioned to impose mandatory cybersecurity requirements on pipelines and ensure they’re enforced, replacing the TSA’s voluntary guidelines.
“A pipeline outage, which may be connected to eight or nine generators, poses far more significant consequences today than it did in the past,” Neil Chatterjee, a Republican FERC commissioner, told Bloomberg Environment. Democratic FERC Commissioner Richard Glick also backs a bigger role for the Energy Department.
FERC Chairman Kevin McIntyre declined to specify which agency should handle pipeline cybersecurity, but said: “There should be no aspect of our nation’s critical energy infrastructure that is left unprotected in a cyber-sense, by whatever means we need to do that.”
McIntyre would support FERC moving toward cybersecurity actions related to pipelines “at some appropriate point in time, we’re just not there now,” he told reporters June 21.
Energy Secretary Rick Perry suggested his agency take a lead role in coordinating with other federal agencies on pipeline cybersecurity in a March letter responding to a congressional inquiry. The Energy Department didn’t respond to requests for additional comment.
To confuse matters further, the Transportation Department also has a role in pipeline safety, through its Pipeline and Hazardous Materials Safety Administration (PHMSA).
Potential for Outages
Natural gas now supplies 32 percent of the U.S.'s electricity, up from 18 percent in 2002, according to the Energy Information Administration.
That greater dependence increases concerns about a cyberattack that could turn off natural gas pipeline flows remotely to several power plants at once, potentially causing large power outages. Those kind of one-hit outages weren’t as easy to envision in the past, when more power plants were individually sourced by on-site coal or nuclear power.
The Trump administration is considering invoking a 1950’s-era national security law as a pathway to stem coal and nuclear plant closures. Among the administration’s arguments for keeping these plants open is a need to protect grid security—although critics question the contention that on-site power sources are necessarily more secure than pipelines.
To date, Homeland Security is unaware of any confirmed or validated cyber intrusions that penetrated a pipeline industrial control system and led to a physical impact, a department official who spoke on condition of anonymity told Bloomberg Environment. But the department said cyber intrusions have occurred against the corporate networks of pipeline companies.
Congressional Action Unlikely
Congress isn’t likely to act, especially during a midterm election cycle with a shrinking legislative calendar.
“Congress views pipelines as part of the transportation system,” Brigham McCown, chairman of the Alliance for Innovation and Infrastructure, a nonprofit advocacy group focused on infrastructure safety, told Bloomberg Environment. “It’s not energy as DOE would define it for jurisdictional purposes.”
McCown served as the head of PHMSA—a separate agency in the Transportation Department that oversees aspects of pipeline safety—under President George W. Bush.
The American Gas Association says the voluntary TSA security guidelines—last updated in March—are working well. The trade organization represents 200 energy companies that deliver natural gas, including members such as Exelon Corp., Dominion Energy, and Southern Co.
No Mandatory Standards
TSA has six budgeted personnel positions to oversee the cybersecurity and physical security of more than 2.7 million miles of natural gas, oil, and other hazardous liquid pipelines in the country. It declined to say whether all six positions are currently filled.
That compares to more than 300 employees in charge of pipeline safety at PHMSA. And while TSA has the authority to enforce mandatory standards, it instead relies on voluntary ones developed with industry.
“In partnership voluntary mode, the guidelines serve as a springboard for where you should start and then you go up from there,” Kimberly Denbow, the American Gas Association’s senior director of security, operations, and engineering services, told Bloomberg Environment.
Regulations, on the other hand, “tend to be a glass ceiling and you’re not motivated to go beyond regulations, but with guidelines you’re motivated to do the most for your company,” Denbow said.
Regulations vs. Voluntary Measures
The guidelines were developed by industry along with federal and state governments, Denbow said.
The TSA physically inspects the top 100 critical pipeline facilities, based on pipelines with the greatest throughput of oil and natural gas, as mandated by Congress. Since 2008, when the inspections began, TSA has conducted more than 400 inspections of these facilities.
Unlike the U.S., the rest of the world is moving toward regulations for pipeline security, James Lewis, a senior vice president at the Center for Strategic & International Studies who tracks security and technology issues, told Bloomberg Environment.
“In all of these voluntary measures, we don’t know if they’re working. If they are working, I don’t think people need to fear being held to some standard,” Lewis said.
Even the North American Electric Reliability Corp., the nonprofit organization in charge of developing reliability and cybersecurity standards for the U.S. electric grid, suggested in a report last fall that “gas industry regulators should be engaged to establish cybersecurity standards that match those of the NERC reliability standards.”
Act of Congress
Congress is considering four bipartisan cybersecurity bills. One in particular—H.R. 5175—wouldn’t change the authority to the Energy Department, but it would direct the department to work closely with states, federal, and industry groups on better cybersecurity coordination.
“These bills, especially H.R. 5175, the Pipeline and LNG Facility Cybersecurity Preparedness Act, are a step in the right direction to strengthen DOE’s capabilities to respond to and protect against physical and cybersecurity threats,” Rep. Fred Upton (R-Mich.), chairman of the House Energy and Commerce Committee energy subcommittee, told Bloomberg Environment.
The Association of Oil Pipe Lines, representing large oil pipeline companies, and the Interstate Natural Gas Association of America, representing gas pipeline companies, opposed moving pipeline security from TSA to the Energy Department.
Instead, they want a memorandum of understanding between the Energy Department and other federal agencies spelling out responsibilities.
Dearth of Data
Because reporting is voluntary, a large gap exists in public data on how many cyberattacks or attempted attacks occur on U.S. pipelines.
The DHS’ National Cybersecurity and Communications Integration Center has experienced an uptick in the number of requests for assistance in hunting and responding to cyber incidents in recent years. In fiscal year 2017, it received five requests for assistance related to actual or possible cyber incidents in oil or gas pipelines, and in just the first half of fiscal 2018 alone it has received seven requests for assistance, a DHS official told Bloomberg Environment.
The Government Accountability Office is studying currently TSA’s oversight of pipelines and plans to make recommendations on which federal agency should lead mandatory pipeline security standards. Sen. Maria Cantwell (D-Wash.), ranking member of the Senate Energy and Natural Resources Committee, sought the report, which is expected this fall.
‘How Am I Doing?’
A 2017 report from the Poneman Institute, which researches information security, found that 61 percent of 377 individuals responsible for operations technology at companies believe their organizations have difficulty mitigating cyber risks across the oil and gas value chain. Also, 48 percent of respondents said they are in compliance with security standards and guidelines in the oil and gas industry.
Data on cybersecurity attacks on pipelines is a big gap in the industry today, Eitan Goldstein, senior director of strategic initiatives at Tenable Inc., a cybersecurity solutions vendor, told Bloomberg Environment.
“The data is critical because organizations need to be able to say, ‘How am I doing over time?’ ‘How am I doing relative to my peers?’” he said. “Right now they are having trouble measuring how they are doing.”
But the cybersecurity of oil and gas pipelines has been an increasing priority for companies looking for solutions the last two years, he said.
“It’s top of mind,” Goldstein said. “I think it’s an issue going all the way up to the C-suite today.”